this post was submitted on 29 Jul 2024
383 points (99.5% liked)

[–] Eezyville 9 points 3 months ago* (last edited 3 months ago) (1 children)

lmao! Man that's hilarious!

"We have a memory leak that could lead to a security issue. We should do something about it."

"I made a process that periodically kills those tasks. No one will notice the problem now."

The unicorn killer will have a memory leak as well. 💀

[–] [email protected] 7 points 3 months ago (1 children)

I had to look it up to check my memory. Yup! https://about.gitlab.com/blog/2015/06/05/how-gitlab-uses-unicorn-and-unicorn-worker-killer/

I don't think memory leaks could ever amount to a security vulnerability, but it just feels yucky. I guess I shouldn't cast stones, I write C++ at work.

[–] [email protected] 3 points 3 months ago (1 children)

> I don’t think memory leaks could ever amount to a security vulnerability

In theory it could; after all, there are technically denial-of-service vulnerabilities (not DoS/DDoS attacks, that is something different) according to CVE Numbering Authorities.

[–] [email protected] 1 points 3 months ago (1 children)

Maybe I'm misunderstanding you, but DoS is exactly the same thing as "denial of service".

My point is that memory leaks can only degrade availability; they are categorically distinct from security vulnerabilities.

[–] [email protected] 1 points 3 months ago* (last edited 3 months ago) (1 children)

I think you might be misunderstanding me.

According to the CVE Numbering Authorities, there can be vulnerabilities that result in service being denied, and they refer to them as a denial-of-service vulnerability. For example, there can be a bug in a program that causes it to crash if you perform a certain set of steps/actions, thus resulting in the service being denied. Whereas traditionally, a DoS/DDoS attack is simply flooding a target with more bandwidth than they have available downstream bandwidth. Sending massive amounts of data to overwhelm a service is not the same thing as finding a unique set of actions to cause the program to crash.

So in theory, yes, a memory leak could amount to and result in a security vulnerability, like if the memory leak is reproducible and so severe it causes a service to crash.

[–] [email protected] 2 points 3 months ago

Aha, I didn't realize compromising availability was sufficient for the CVE definition of security vulnerability. Projects I've worked on have typically excluded availability, though that may not be the norm.

And I see your point about some exploits being highly asymmetric in the attacker's favor, compared to classic [D]DoS.
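
The distinction drawn in the thread above (a reproducible leak as a denial-of-service bug, as opposed to bandwidth flooding), shown as an added example that is not part of the original thread or of any project it mentions: a request handler that loses its buffer on the rejection path, beside a version that frees on every path. The handler names, the 4096-byte buffer and the "GET " validity rule are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: this counter stands in for the process heap usage. */
static size_t live_bytes = 0;
#define REQ_BUF 4096

static char *req_alloc(void) {
    char *p = malloc(REQ_BUF);
    if (p) live_bytes += REQ_BUF;
    return p;
}
static void req_free(char *p) {
    if (p) { free(p); live_bytes -= REQ_BUF; }
}

/* Hypothetical rule: a valid request starts with "GET ". */
static int is_valid(const char *req) { return strncmp(req, "GET ", 4) == 0; }

/* Leaky: the rejection path returns without releasing the buffer. */
int handle_leaky(const char *req) {
    char *buf = req_alloc();
    if (!buf) return -1;
    strncpy(buf, req, REQ_BUF - 1);
    buf[REQ_BUF - 1] = '\0';
    if (!is_valid(buf)) return 400;   /* buf is lost here */
    req_free(buf);
    return 200;
}

/* Fixed: single exit, so every path frees the buffer. */
int handle_fixed(const char *req) {
    int status = 200;
    char *buf = req_alloc();
    if (!buf) return -1;
    strncpy(buf, req, REQ_BUF - 1);
    buf[REQ_BUF - 1] = '\0';
    if (!is_valid(buf)) status = 400;
    req_free(buf);
    return status;
}

/* Feed n copies of one request to a handler; report bytes still held. */
size_t bytes_held_after(int (*handler)(const char *), const char *req, int n) {
    live_bytes = 0;
    for (int i = 0; i < n; i++) handler(req);
    return live_bytes;
}
```

Memory held by the leaky handler grows linearly with the number of rejected requests and stays flat for valid ones, which is why a restart-on-threshold watchdog hides the symptom without removing the defect.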